wpGForm and Apache Sercurity

A while back I was contacted by a user who had deployed wpGForm on their site with a problem they wanted my help with.  In looking at it I was absolutely stumped as to why it wasn’t working.  Nothing appeared obvious – when the form was submitted, the form would be displayed again as if for the first time.  In the process of chasing down this problem I’ve added quite a bit of debug code but in the end, I found Firebug’s Net Panel incredibly useful.

In this particular case it was showing me that the form was being posted but a 403 Permission Denied response resulted.  Why?  The exact same URL worked to show the form, why wasn’t it working to process the form?  I ended up separating the rendering and processing part of the plugin thinking this was the problem (like it was on a site a couple of weeks ago) but it didn’t make any difference (although it was the right thing to do).  I was still getting 403 problems.

I was working closely with the site owner, they were nice enough to allow me to really dig into their site.  What did I find?  A bunch of plugin and theme minor issues that I chased thinking they were conflicting somehow to no avail.  I ended up opening a ticket with the hosting provider and once we clarrified the problem, they sent me so error log information:

[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
[line "489"]
[id "340162"]
[rev "262"]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt
in ARGS (AE)"] [data "
https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwd
yb0xcmkzsogc6mq&ifq
"]
[severity "CRITICAL"]
[hostname "lanaddicts.org"]
[uri "/test-form/"]
[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]

Wow! At first I didn’t know what to make of this. A Google Search led me to this Atomic Corp Wiki. I decided that the Apache Security Module must not like the Google Form URL that I need to carry around through the process in order to submit the form variables to Google. I decided to encode it and then decode it when needed to see if that would satisfy the Apache Security Module.

Guess what?  It works!!!!  This is a big relief as I have another user with almost the exact same error being reported and I am betting my updated plugin will fix their problem too.

If you want to try out an early build while I continue to test, you can find one here.